
Protect ini files

Hello,

My whole sensitive config, like the DB connection params, is in a confi.ini file. Maybe someone has already written an .htaccess to prevent ini files from being read?

Thank you

edited Oct '14

Ideally you would not have the configuration files in the public web directory; they should be outside it. Your entire application (typically the 'app' dir) should be outside the public directory. The bootstrap index.php file and all static resources like CSS, JS, images, etc. should be the only files in the public directory.

I can't do that because of the server configuration. The FTP server has chrooted me at public_html.



Accepted answer, edited Oct '14

In that case you might be best using a .php file for the configuration, rather than a .ini.

But if absolutely necessary, you can block access to the configuration directory by adding

deny from all

to your .htaccess. If that doesn't work, just do

order deny,allow
deny from all
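
An added example, not part of the original posts: an .htaccess that blocks only .ini files instead of the whole directory, which matters when the config file sits next to index.php in public_html. It assumes the host allows these directives in .htaccess (AllowOverride) and covers both the Apache 2.2 syntax used in the answer above and the Apache 2.4 equivalent.

```apache
# .htaccess placed in the directory that contains the .ini file
# (constructed example; the location under public_html is an assumption)

# Apache 2.4 and later: mod_authz_core provides "Require"
<IfModule mod_authz_core.c>
    # (?i) makes the match case-insensitive, so CONFIG.INI is covered too
    <FilesMatch "(?i)\.ini$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core is absent, use Order/Deny as in the answer
<IfModule !mod_authz_core.c>
    <FilesMatch "(?i)\.ini$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>
```

After uploading it, request the .ini file over HTTP and confirm the server answers 403 Forbidden rather than the file contents. If the host sets AllowOverride None, the .htaccess is ignored and the file stays readable, so this check is what tells you the rule is active.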